Create rule S6751: PyPI tokens should not be disclosed (APPSEC-1073) (#3021)

You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6751/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2023-09-15 15:25:35 +02:00 · 2023-09-15 15:25:35 +02:00 · 054bdfb71c
commit 054bdfb71c
parent 83c164cac3
4 changed files with 121 additions and 1 deletions
--- a/rules/S6751/metadata.json
+++ b/rules/S6751/metadata.json
@ -0,0 +1 @@
+{}
--- a/rules/S6751/secrets/metadata.json
+++ b/rules/S6751/secrets/metadata.json
@ -0,0 +1,56 @@
+{
+  "title": "PyPI tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": []
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6751",
+  "sqKey": "S6751",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
--- a/rules/S6751/secrets/rule.adoc
+++ b/rules/S6751/secrets/rule.adoc
@ -0,0 +1,63 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+The exact consequences of a PyPI API token compromise can vary depending on the scope of the affected token. Depending on this factor, the attacker might get access to the full account the token is bound to or only to a project belonging to that user.
+
+In any case, such a compromise can lead to source code leaks, data leaks and even serious supply chain attacks. In general, a reputational loss is also a common threat.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+For PyPI, `keyring` is a recommended solution to securely store secrets. Further explanation is given in the example below.
+
+=== Code examples
+
+==== Noncompliant code example
+
+PyPI API tokens can be used to authenticate with PyPI by setting the token as a password in `.pypirc`.
+
+[source,text]
+----
+[pypi]
+username = __token__
+password = pypi-YBf3ZAIKOMPwNZ1VaQ0RAtjww5lI1az1CMLEOWgDQN56EPADfzRmgsENVcmIUh2mSBwYlTtyNKGmVlLm2MZD2aJOTWmD2EO5PMyWjvUY3Ii2CjsidALCNCNmvX8N8gcijBliFN2ciBCLgQdi2YYfGjA1kz19z1UBKg
+----
+
+==== Compliant solution
+
+Instead, Python's https://pypi.org/project/keyring/[`keyring` package] can be used to securely authenticate with PyPI. Once `keyring` is installed using pip, it should be used for authentication automatically. It is also possible to configure it manually using the following:
+
+[source,bash]
+----
+pip config set --global global.keyring-provider subprocess
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+* pip Documentation - https://pip.pypa.io/en/stable/topics/authentication/#authentication[Authentication]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
--- a/shared_content/secrets/fix/revoke.adoc
+++ b/shared_content/secrets/fix/revoke.adoc
@ -3,6 +3,6 @@
 Revoke any leaked secrets and remove them from the application source code.


-Before revoking the secret, ensure that no other applications or processes is
+Before revoking the secret, ensure that no other applications or processes are
 using it. Other usages of the secret will also be impacted when the secret is
 revoked.